Information Exposure in Undertow Web Server Prior to 2.0.21
CVE-2019-3888

5.3MEDIUM

Key Information:

Vendor: Red Hat
Status: Undertow
Vendor: CVE Published:; 12 June 2019

What is CVE-2019-3888?

A vulnerability in the Undertow web server allows for the exposure of plaintext credentials through log files. This occurs when the HttpServerExchange object is logged at ERROR level, resulting in sensitive information being recorded in logs rather than being properly handled. This event is triggered by the Connectors.executeRootHandler method, posing potential risks to security as attackers could access this information if they gain access to log files.

Affected Version(s)

undertow 2.0.21

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3888

x_refsource_CONFIRM

http://www.securityfocus.com/bid/108739

vdb-entryx_refsource_BID

https://access.redhat.com/errata/RHSA-2019:2439

vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2019
Vulnerability Reserved
Jan 3, 2019

Red Hat

What is CVE-2019-3888?

Affected Version(s)

References

CVSS V3.1

Timeline